Sorry for nitpicking, but below are my corrections to the minutes. I can just send the updated version instead of a patch.
> ## Email TLS certs and EMAIL end-user certs, 15 minutes
> Who will read? Ready for WGLC?
>
> Paul Hoffman: I don't understand the proposed change
> Alexey: At the moment service/port are single. If you wanted to issue multiple
> ports (IMAP/IMAPS) it needs to be multiple requests.
> Paul: I see no reason not to have multiple services.
> Chair: One array or two?
> Alexey: One array
> Richard: I'm confused. This document is talking about authenticating
> DNS, but what would go into a certificate is a Domain.
> Alexey: In theory you could issue SRV based IDs. In the most common use cases
> that won't be used.

Change to: In the most common use cases DNS IDs would be issued instead.

> Richard: I think this should be updated to cover SRV.

Insert: Alexey: SRV is already covered in the document.

> DKG: I want to agree with Richard. If it's just on name, this is too complex.
> Several steps need including
> Alexey: For DNS there will be slightly specific service name.

Change to: For the DNS challenge, the service name is included in the DNS name used for the ACME challenge (`_<port>._<service>._acme-challenge.<domain>` TXT record).

I think Richard also suggested to create a new DNS-based ACME challenge type.

> DKG: If the cert being requested isn't specifically for the service, this
> could open an attack to other services for other protocols
> AI: Alexey to add some clarifying text, Richard to send some
> AI: After next draft, WGLC; READ
>
> Paul Hoffman: These details aren't clear in the current draft.
> Richard: We have a couple of layers of indirection, what I am least clear on is
> the mapping of service to certificate. CA's may want to include SRV into the
> cert if you show control of the domain.
> Alexey: I'm hoping they'll issue certs with the port

Change to: I'm hoping they'll issue certs with the service name

> Richard: I suggest you implement SRV service IDs
> Tim: SRV has been discussed but not implemented
> Tim: The assumption all zones in a domain are controlled by the same identity
> is no longer true.
> Alexey: I am developing software that could develop software to validate
> these, but first I need CAs to issue certs against this.

Change to: I am developing client side software that validates these, but first I need CAs to issue certs against this.

>

I think it is worth pointing out here that now we moved on to the S/MIME document:

> Yaron: Are you expecting end user to perform this challenge?
> Alexey: Yes, possibly through copy/pasting the challenge.

Change the above 2 to:

Yaron: Are you expecting the end user to perform this challenge, or the email client?
Alexey: Both. If the email client doesn't support this natively, it is possible to copy & paste the challenge to an external program and then create a reply with the calculated result.

> Chair: Is there any provision for multiple clients?

Alexey: yes

> AI: Tim H and dkg said they would review

_______________________________________________
Acme mailing list
https://www.ietf.org/mailman/listinfo/acme
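The service-scoped DNS name quoted in the correction above (`_<port>._<service>._acme-challenge.<domain>`) and DKG's concern about one proof being reused for another service are easier to see in code. The following is an added example; it is not code from the draft, the minutes or the message author. It assumes the record-name shape exactly as given in the message (not a published specification), takes the TXT value computation from the RFC 8555 dns-01 challenge (base64url of SHA-256 over `token "." JWK-thumbprint`, unpadded), and uses placeholder token/thumbprint values and a dict in place of a real DNS lookup.

```python
"""Service-scoped ACME DNS challenge check (added example, not draft code).

Assumptions: record name _<port>._<service>._acme-challenge.<domain> as
described in the mailing-list message; TXT value per RFC 8555 dns-01.
TOKEN, THUMBPRINT and ZONE below are placeholders constructed for the demo.
"""
import base64
import hashlib
from typing import Dict, List


def plain_dns01_name(domain: str) -> str:
    """RFC 8555 dns-01 record name: proves control of the domain only."""
    return f"_acme-challenge.{domain.rstrip('.')}"


def scoped_name(domain: str, service: str, port: int) -> str:
    """Service-scoped name in the shape the message describes (assumed format)."""
    return f"_{port}._{service}._acme-challenge.{domain.rstrip('.')}"


def expected_txt_value(token: str, jwk_thumbprint: str) -> str:
    """TXT value the CA expects: base64url(SHA-256(token '.' thumbprint)), no '=' padding."""
    key_authz = f"{token}.{jwk_thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_authz).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def validate(records: Dict[str, List[str]], domain: str, service: str, port: int,
             token: str, jwk_thumbprint: str, scoped: bool = True) -> bool:
    """True if the zone (a dict standing in for DNS) carries the expected TXT
    value under the name the CA would query for this particular request."""
    name = scoped_name(domain, service, port) if scoped else plain_dns01_name(domain)
    return expected_txt_value(token, jwk_thumbprint) in records.get(name, [])


# Placeholder values standing in for a real challenge token and account-key thumbprint.
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
THUMBPRINT = "9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI"
DOMAIN = "example.com"

# Constructed zone: the operator published the proof only for IMAPS on port 993,
# plus a plain dns-01 record of the same value for comparison.
ZONE: Dict[str, List[str]] = {
    scoped_name(DOMAIN, "imaps", 993): [expected_txt_value(TOKEN, THUMBPRINT)],
    plain_dns01_name(DOMAIN): [expected_txt_value(TOKEN, THUMBPRINT)],
}


def demo() -> Dict[str, bool]:
    """Runs the checks a CA would make for several requests against the same zone."""
    return {
        # The request the operator actually published a scoped record for.
        "imaps/993 scoped": validate(ZONE, DOMAIN, "imaps", 993, TOKEN, THUMBPRINT),
        # Same domain and token, different service/port: no record under that name.
        "imap/143 scoped": validate(ZONE, DOMAIN, "imap", 143, TOKEN, THUMBPRINT),
        # Plain dns-01 carries no service binding, so it satisfies the imap/143 request too.
        "imap/143 plain": validate(ZONE, DOMAIN, "imap", 143, TOKEN, THUMBPRINT, scoped=False),
        # Wrong token fails even under the right scoped name.
        "imaps/993 bad token": validate(ZONE, DOMAIN, "imaps", 993, "x" * 43, THUMBPRINT),
    }


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label:22s} {'valid' if ok else 'NOT valid'}")
```

The scoped name is what ties the published proof to one service and port: the same token and account key fail for imap/143 when the record only exists under the imaps/993 name, whereas the unscoped dns-01 record would satisfy either request.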
